PHP Sessions with disabled cookies, does it work?


Problem description

Today I had a Skype interview for a job as a PHP developer; one of the questions asked was about cookies and PHP sessions.

The question was, can a PHP session be set and read, used, if cookies are disabled in the user's browser?

I told them no, because PHP sessions by default depend on setting a session cookie. When a PHP session starts, a new session cookie is set with the default name PHPSESSID, and that cookie holds the value of that session id, for example: ftu63d8al491s5gatuobj39gk7. Then on the Apache server, in the tmp folder, the file sess_ftu63d8al491s5gatuobj39gk7 is created and it holds the content of that session, for example: test1|s:12:"SessionTest1";test2|s:12:"SessionTest2";

They told me that's not true, and that you can use PHP Sessions even if user disables cookies in his browser.

Then I told them that you can do that, but then session id would be passed through URL as GET variable. And that's not secure and you must set it up in php.ini.

They were talking about how you can use PHP sessions even if cookies are disabled in the browser. And what if we are building a web shop, and some granny uses our web shop and disables cookies and she just doesn't care. And that PHP sessions are great because you can use them even if the user disables cookies. I was like wtf, wtf wtf?!?!

I made a test with two files: index.php starts the session and sets session variables. And then session.php tries to read those session variables.

This is what it looks like:

index.php

<?php

    // session_start() has to run before any output is sent; otherwise the
    // session cookie header cannot be set when output buffering is off.
    session_start();
    $_SESSION['test1'] = "SessionTest1";
    $_SESSION['test2'] = "SessionTest2";

?>

<p>This is where I start and set php sessions.</p>

<p>This is a link, that starts new HTTP Request, and tries to read session set on this page:</p>
<p><a href="session.php">Read Session</a></p>

session.php

<?php

    session_start();
    var_export($_SESSION);

?>

<p><a href="index.php">Back</a></p>

Now, if you enable cookies in your browser, visit index.php, and then visit session.php, the session would be printed out.

But, if you clear your browser history and cookies, and then visit index.php, and then visit session.php, you would see an empty array, right?

So basically my question is, am I right? Can you use PHP sessions if you disable cookies in your browser? And does the PHP session mechanism, by default, depend on setting a session cookie?

Update: I was going mad about this, so I called back the guy I was talking with. And asked him, can a PHP session work without cookies by default? The guy said "yes". Then I told him he is wrong and he said: "yes, yes, if you say so..." and started laughing. Then I told him, ok, if a PHP session can work without setting a cookie, how would the server know the current user/browser session id, if it's not stored in a session cookie? (I wanted to see if he knows that the session id can be passed as a GET variable.) And he was quiet for at least 20s, and told me that he is a System Administrator, and that I should ask the Developer guy. And that he is 43 years old and has huge experience of 13 years in the business (he started at 30? wtf?), but he trusts me on this one. And I explained to him how sessions work and that you can use them without a cookie but then the session id is passed as a GET variable, and told him I told them that at the interview, but they were telling me no, no no... :S

So basically, the guy didn't have a clue about PHP and PHP sessions, and yes, he was the one that asked me about sessions, telling me that a PHP session can work without a cookie, even when I told him it can't be done, and that there is a way to use PHP sessions without cookies but it won't work by default. He was like, no no no... At the end he told me that he was thinking that sessions can work without cookies because he, as System Admin on his servers, can never see sessions in the tmp folder?!?!?

Anyway, those guys suck at PHP, there is no way I will accept a job offer from them, and after all this I don't think they will offer me a job anyway...

Thanks for all the comments!

Recommended answer

"A visitor accessing your web site is assigned a unique id, the so-called session id. This is either stored in a cookie on the user side or is propagated in the URL."

Sessions: Introduction
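An added example, not part of the original question or answer: a simplified PHP model of where the session ID is looked up, covering both the cookie and the URL case the quote mentions. The function names and the `$urlMode` configuration are illustrative assumptions; the ini directive names and default values are PHP's own.

```php
<?php
// Added example: simplified model of PHP's session ID lookup (GET only;
// this is not PHP's source code). Sample requests below are constructed.

const PHP_DEFAULTS = [                 // PHP's default values
    'session.name'             => 'PHPSESSID',
    'session.use_cookies'      => 1,
    'session.use_only_cookies' => 1,
    'session.use_trans_sid'    => 0,
];

// Returns the session ID that would be resumed, or null for a new session.
function resolveSessionId(array $ini, array $cookie, array $get): ?string
{
    $name = $ini['session.name'];
    if ($ini['session.use_cookies'] && isset($cookie[$name])) {
        return $cookie[$name];         // a cookie, when present, is used first
    }
    if (!$ini['session.use_only_cookies'] && isset($get[$name])) {
        return $get[$name];            // URL-supplied ID is accepted
    }
    return null;                       // no ID seen: fresh, empty $_SESSION
}

// Flags the settings that let a session ID travel in the URL.
function urlIdRisks(array $ini): array
{
    $risks = [];
    if (!$ini['session.use_only_cookies']) {
        $risks[] = 'ID accepted from URL: a link can preset the ID (session fixation)';
        if ($ini['session.use_trans_sid']) {
            $risks[] = 'ID written into links: exposed in Referer headers, logs, history';
        }
    }
    return $risks;
}

$id = 'ftu63d8al491s5gatuobj39gk7';    // sample ID quoted in the question
// Hypothetical php.ini that enables URL propagation (left operand of + wins).
$urlMode = ['session.use_only_cookies' => 0, 'session.use_trans_sid' => 1] + PHP_DEFAULTS;

// Cookies disabled, default settings: session.php receives no ID.
var_dump(resolveSessionId(PHP_DEFAULTS, [], []));
// Cookies disabled, default settings, ID placed in the URL: still ignored.
var_dump(resolveSessionId(PHP_DEFAULTS, [], ['PHPSESSID' => $id]));
// URL mode: the ID carried by the link is resumed.
var_dump(resolveSessionId($urlMode, [], ['PHPSESSID' => $id]));
print_r(urlIdRisks(PHP_DEFAULTS));
print_r(urlIdRisks($urlMode));
```

To check a live server against the same logic, pass the three directive values read with `ini_get()` instead of the constructed arrays.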
